Network security framework for Internet of medical things applications: A survey

2.1.1 Network traffic monitoring and analysis

The detection and prevention of DDoS attacks in IoMT systems rely heavily on network traffic monitoring and analysis [21]. The followings are some methods and approaches for monitoring and analyzing network traffic that has proven helpful in detecting DDoS attacks in IoMT:

1. Intrusion Detection Systems (IDS): When it comes to securing essential healthcare data and the security of IoMT systems, IDSs play a pivotal role [22]. IDS allows healthcare organizations to ensure the availability, confidentiality, and integrity of IoMT systems by continually monitoring network traffic, device behavior, and potential security threats [23]. In addition, improving security, adhering to regulations, and keeping patients’ and providers’ trust necessitate using an effective intrusion detection system (IDS) architecture [21].

2. Anomaly Detection: With this method, DDoS attack anomalies in network traffic can be detected instantly. Anomalies induced by a rapid increase in traffic or strange patterns can be discovered quickly with machine learning algorithms [24] applied to data gleaned from network traffic analyses and monitoring device activity. As a result of this early identification, corrective actions can be taken immediately, such as traffic filtering [5,25], traffic redirection [26], or deploying extra infrastructure to lessen the attack’s effect. As a result, the accessibility, dependability, and uninterrupted supply of healthcare services can be protected from DDoS attacks by implementing efficient anomaly detection algorithms in IoMT systems.

3. Collaborative DDoS Detection: By using this method, numerous IoMT devices, edge devices, or network components can collaborate to detect and analyze DDoS attacks [27]. These devices can share data regarding traffic flow, anomalies, and threat indications to detect and combat DDoS attacks. As a result, attack campaigns spanning numerous devices or networks can be more easily uncovered with collaborative detection [28].

2.1.2 Traffic filtering and rate limiting

DDoS attacks is designed to crash a network or knock out a specific service by flooding it with data. Attacks on IoMT systems can potentially jeopardize patient safety by delaying or even preventing the delivery of essential medical care. Incoming network traffic is analyzed using traffic filtering to selectively permit or prohibit packets based on the established standards [29]. Thresholds can limit the flow of incoming traffic. To prevent a DDoS attack, it delays or stops traffic too high for the network or service to manage [30–33]. The IoMT systems can enforce the following methods to keep the network from getting overloaded and ensure the continuity of essential services:

1. Access Control Lists (ACLs): ACLs protect networks and other vital components of IoMT systems from DDoS violence. By using ACLs, administrators can establish strict criteria for which devices and users are granted access to the network and its resources [34]. Inevitably, we can create rules based on IP addresses, protocols, and ports. Administrators can use ACLs to let in trusted traffic while restricting access to potential threats. To keep patient data private and secure and prevent unauthorized access to critical resources, ACLs are a must in IoMT systems.

2. Firewalls: Firewalls are required to defend against DDoS attacks and to decline their effects on IoMT systems [35]. This method can protect against standard DDoS attack vectors by inspecting packets and filtering traffic based on IP addresses, protocols, and other features. Firewalls are the first line of defense, protecting sensitive patient information and essential healthcare services from aggressive traffic.

3. Rate Limiting Mechanisms: DDoS attacks frequently target overloaded networks, servers, and application services; rate-limiting helps keep those resources from being overwhelmed [36]. By limiting the volume of traffic, the system can lessen the severity of the attack without compromising the continuity or responsiveness of essential healthcare services. In addition, combining rate limitation with anomaly detection methods allows the threshold to be constantly adjusted based on typical traffic volumes.

2.1.3 Traffic diversion and scrubbing

IoMT systems can be protected from DDoS attacks through traffic diversion and scrubbing. Redirecting incoming network traffic to other systems or scrubbing centers is what is envisioned by “traffic diversion.” By redirecting traffic to scrubbing centers, IoMT systems can reduce the severity of DDoS attacks [37] by ensuring that only clean, legal traffic reaches the targeted network. This method helps keep vital healthcare services available, minimizes network congestion, and safeguards patient information and infrastructure.

1. Content Delivery Networks (CDNs): CDNs are networks of servers that are deliberately placed in multiple locations worldwide. By caching and serving material closer to end users, they contribute to improved content delivery by lowering latency and increasing performance. When DDoS assaults are launched against IoMT systems, CDNs can be used as buffers to reduce the severity of the attack [38]. By defending against the disruptive impacts of malicious traffic floods, CDNs help keep vital healthcare services available and performing at peak levels.

2. Traffic Diversion to DDoS Mitigation Services: Businesses can use mitigation techniques such as service providers to handle incoming traffic in a DDoS existence. Companies can use DDoS mitigation services’ cutting-edge traffic surveillance and filtering techniques by redirecting their customers to them [37]. Rate limitation, analysis of traffic patterns, and identifying anomalies are just a few of the methods used by these services to detect and stop DDoS attacks. Maintaining the reliability and authenticity of IoMT services is essential for enterprises to continue providing uninterrupted access to vital healthcare apps and resources amid a DDoS attack.

2.1.4 Intrusion prevention systems

DDoS attacks can be detected and stopped by networks that might implement preventive techniques like intrusion detection systems (IDS) and intrusion prevention systems (IPS). It can identify intrusions and take action automatically to prevent or lessen their impact [39]. The security of IoMT systems can be improved by using an IPS to detect and block DDoS attacks. Protecting the accessibility and integrity of essential healthcare services requires a comprehensive security architecture that includes real-time surveillance of threats, automated response skills, and integration with other layers of protection.

2.1.5 Cloud-based DDoS protection

DDoS threats can be protected by cloud-based DDoS prevention, which uses the infrastructure and resources of a cloud service provider. Protecting IoMT systems in the cloud allows them to take advantage of the knowledge and tools made available by cloud service providers in the face of DDoS attacks [39]. Regarding protecting against DDoS assaults, cloud-based solutions are preferable because of their scalability, worldwide network existence, traffic scrubbing abilities, and real-time monitoring.

2.1.6 Network resilience and redundancy

Ensure there are many pathways and redundant components in the IoMT network architecture to lessen the effects of DDoS assaults and keep availability high. Critical healthcare services can be maintained even during an attack because of the robustness of the underlying network [40]. The severity of DDoS attacks can be reduced by this method, which uses balancing loads, fault tolerance, and proactive routing. The goal of redundancy is to provide fallback options in the event of network failure or assault. By removing potential weak spots, redundancy makes IoMT networks more resistant to DDoS attacks [41].

2.1.7 Collaborative defense

Collaborative defense is a strategy against DDoS threats in IoMT environments that calls for coordinated efforts from several parties. To defend against these attacks in IoMT applications, collaborative defensive teams pool their expertise, assets, and efforts to achieve a common goal [42]. Critical healthcare services, patient information, and the IoMT ecosystem’s integrity can be protected from DDoS attacks if entities work together to enhance their capacity to identify, mitigate, and recover from such attacks.

2.1.8 Incident response and mitigation

Defenses against DDoS threats in the IoMT context must include incident response and mitigation. Organizations may protect their healthcare systems from these attacks by enforcing robust incident response and mitigation procedures [20]. DDoS assaults in IoMT require rapid identification, communication, traffic diversion, rate limitation, containment, and post-incident analysis for reaction and mitigation. These steps will lessen the consequence, guarantee continued service, and fortify future defenses against DDoS attacks in healthcare systems. These measures allow for a well-coordinated and speedy reaction, safeguarding vital healthcare services and patient data and keeping the IoMT infrastructure running smoothly. Essential medical services can be protected against DDoS attacks by using various security solutions designed specifically for the needs and limitations of IoMT systems. However, maintaining a successful defense against developing DDoS attack strategies also requires routine testing, monitoring, and updates to these security measures.

2.2.1 How common are DDoS attacks on IoMT systems, and what are their typical features?

Different varieties of DDoS attacks on IoMT systems will have other effects. Some examples and their distinguishing features are as follows:

• Volumetric attacks [43]: These attacks cause the network to crash due to the sheer volume of data sent simultaneously. The idea is to clog up the web, so only genuine users can utilize the IoMT services.

• UDP floods [44]: Attackers can send many packets to the targeted system using the User Datagram Protocol (UDP). Network congestion and server resource consumption due to these packets can cause service outages.

• SYN floods [44]: SYN floods send many SYN requests to perform the TCP three-way handshake with an advantage of the TCP protocol. This attack uses the server’s resources and prevents real users from connecting.

• Application layer attacks [45]: These attacks exploit explicit application weaknesses or employ application resources to stop IoMT services from working as intended. Examples include HTTP floods and amplified DNS attacks that cause web server overload.

• IoT Botnet attacks [46,47]: The penetration of a network of IoT devices, including IoMT devices, is what orchestrates and launches DDoS attacks. These botnets are incredibly challenging because of the enormous amounts of traffic they can generate.

• Reflection/amplification attacks [10]: Attackers take advantage of vulnerable servers or services that send back responses disproportionately large compared to the original request. The attacker can overwhelm the victim’s IoMT system by sending fake requests using the victim’s Internet protocol (IP) address as a mask.

• IoT exploitation [20]: Inadequately protected IoMT devices can be deliberately attacked and manipulated to interrupt services or contribute to wider-scale DDoS attacks. Poor security measures like weak passwords, out-of-date firmware, or missing patches can compromise IoMT devices.

2.2.2 How effective are different security measures in preventing DDoS attacks against IoMT systems, and where do they fall short?

There are advantages and disadvantages to using different security solutions for protecting IoMT systems from DDoS attacks. Some classic security measures and their distinguishing features are as follows:

• Intrusion prevention systems [39,48]: IPS solutions offer real-time protection by swiftly detecting and blocking known DDoS attack signatures that can examine data down to the packet level, spot malicious traffic, and stop attacks in their tracks. However, this system may consume much bandwidth and struggle to detect and prevent zero-day or otherwise new DDoS attacks that do not conform to existing signatures.

• Firewalls [9]: IoMT systems are protected from intruders thanks to firewalls, which impose access control restrictions. They offer fine-grained oversight of network activity and may effectively block traffic associated with known DDoS attacks. Simultaneously, firewalls may have trouble mitigating DDoS attacks that overwhelm their bandwidth capacity. In addition, complex application layer threats may evade standard firewall protections, necessitating alternative defense methods.

• Load balancers [49]: This includes the prevention of server overload and the optimal use of available resources that can protect against DDoS attacks by rerouting floods of traffic and making systems more flexible. However, they were not intended to prevent DDoS attacks; since they distribute traffic, large-scale DDoS attacks may be too much for the network to handle.

• Traffic filtering and rate-limiting mechanisms [29,36]: These defenses can spot and stop the abnormally high volumes of traffic that typically accompany DDoS threats. When dealing with complex and distributed DDoS attacks that use several IP addresses and spoofed traffic sources, these methods can have trouble differentiating good traffic from horrible attack traffic.

• Anomaly detection systems [24]: The ability of anomaly detection systems to spot deviations from typical behavior is a significant strength that can be used to spot possible DDoS attacks at an early stage. These systems may produce false positives when first deployed because they need time to learn typical operation patterns.

• Collaborative defense platforms [42]: The defense against DDoS attacks is bolstered by collaborative defense platforms, which enable information sharing and coordinated response among participating institutions. However, these systems may make cooperation and communication more difficult. Therefore, they have their drawbacks.

• Cloud-based protection services [39]: Cloud-based security services offer scalable, globally dispersed protection that successfully manages high-volume attacks, allowing them to absorb and filter traffic from DDoS attacks. Due to traffic rerouting and scrubbing procedures, cloud-based security services may cause significant delays.

2.2.3 What new methods and technologies have promise for protecting IoMT networks from DDoS attacks?

DDoS attacks in IoMT systems can be mitigated with the help of cutting-edge technology and methods like deep learning, machine learning, and blockchain. Specifically, these technologies can help with DDoS defense in the following ways:

• Deep learning and machine learning [22,49–51]: Deep learning and machine learning analyzes massive amounts of network traffic data to reveal anomalies and patterns indicating DDoS attacks. These algorithms can gather information from the past to better predict and counteract future threats. They can be used to create IDS/IPS systems that are smart enough to recognize and neutralize DDoS attacks in real time. The identification of attacks can be improved, false positives reduced, and mitigation efforts streamlined with the help of such systems.

• Blockchain [17,27,52–56]: DDoS mitigation can benefit from the consistency and decentralization offered by blockchain technology. Blockchain can make it harder for attackers to overrun a single point of failure by decentralizing control and administration of network resources among several nodes. In addition, blockchain can improve authentication and authorization processes to lessen the likelihood of DDoS attacks in IoMT systems, allowing for enhanced safety communication and identity management. Blockchain-based consensus methods can also provide collaborative defensive tactics in which organizations work together to combat DDoS attacks by exchanging attack data, coordinating mitigation measures, etc.

• Software-defined networking (SDN) [25,36,49]: SDN allows for centralized management and control of network resources by decoupling the control plane from the data plane. Effective traffic management, dynamic allocation of resources, and rapid DDoS attack mitigation are all made possible by one particular point of command. SDN can detect and alleviate DDoS attacks in real time using machine learning methods. In addition, SDN can effectively limit the effects of DDoS attacks on IoMT devices by proactively rerouting traffic and modifying network policies.

• Edge computing [28,57–59] and fog computing [37,60–62]: Reduced dependency on data centers is one of the main benefits of edge computing and fog computing, which move computational resources more attached to the network’s edge. This decentralized design can make IoMT systems more resistant to DDoS attacks by reducing the strain on essential backend services. In addition, these technologies reduce the latency and bandwidth needs of upstream mitigation by analyzing and processing network traffic at the network edge, where DDoS attacks are inclined to originate.

2.2.4 How efficient and reliable are the various security measures to prevent DDoS attacks on IoMT infrastructures?

There is a wide range in the efficacy and effectiveness of DDoS protection solutions for IoMT systems. However, some significant differences are compared below:

• Performance: High-performance defense is often provided by intrusion prevention systems (IPS) [39] and firewalls [35] that can swiftly detect and stop DDoS attack traffic. Even though load balancers [49] aid in traffic distribution, their efficiency can differ depending on their hardware and setup specifics. During high-intensity DDoS attacks, network performance may be negatively affected by the processing and decision-making cost introduced by traffic filtering [29] and rate-limiting systems [30].

• Scalability: Scalability is provided via cloud-based protection [39] services, which utilize distributed infrastructure to sift through and mitigate DDoS attacks. Software-defined networking (SDN) [63] and load balancers [49] are scalable systems that can handle increased traffic by spreading it over numerous servers or redistributing available bandwidth on the fly. Using parallel processing and distributed computing approaches, anomaly detection systems [24] and machine learning-based solutions [50] can efficiently evaluate massive amounts of network data at scale.

• Accuracy and effectiveness: DDoS attacks can be effectively mitigated by using IPS [39] and firewalls [35]. Using machine learning and historical data, anomaly detection systems [24] and other machine learning-based solutions [51] can enhance detection accuracy and keep up with ever-changing attack methods. In addition, defense platforms that encourage collaboration and real-time data exchange have been shown to significantly improve the success rate of anti-DDoS measures.

• Response time: DDoS attacks can be quickly mitigated, and service interruptions kept to a minimum with the help of real-time or near-real-time reactions from IPS [39], firewalls [9], and cloud-based security [39] services. Due to the need for analysis and decision-making, anomaly detection systems [24] and machine learning-driven solutions [51] may experience a slight latency in reaction time. The responsiveness and cooperation of engaged entities can affect response times for collaborative defense platforms [42], as these systems rely on clear interaction and collaboration among players.

2.2.5 What are the most challenging and restrictive aspects of establishing security solutions for DDoS mitigation in IoMT systems?

Several specific barriers and constraints might be encountered while attempting to implement and deploy security solutions for preventing DDoS attacks in IoMT systems. Some essential factors include:

• Resource limitations [64]: The limited computational and memory capacity of many IoMT systems makes it challenging to install resource-intensive security solutions. These limitations may reduce the efficiency of DDoS protection by limiting the security measures’ performance and scalability.

• Real-time response [65]: Service outages caused by DDoS attacks must be quickly remedied. However, time spent on evaluation, decision-making, and collaboration as part of security solutions might slow down threat detection and mitigation. It cannot be easy to achieve real-time response while preserving accuracy and efficacy.

• Evolving attack techniques [63]: Constant refinement of DDoS attack methods by malicious actors allows them to evade ever-more-common preventive measures. The security solution must keep pace with increasing attack vectors and use cutting-edge methodologies to effectively detect and counteract growing threats.

• False positives and negatives [66]: Some security measures may incorrectly label regular traffic malicious, while others may fail to identify actual DDoS attacks. Constant fine-tuning and monitoring are required to find the optimal balance between reliable detection and nuisance alarms.

• Complexity and integration [63]: Integrating and deploying security solutions can be difficult for IoMT systems due to the various components and protocols used. It is complex and requires network architecture and security knowledge to ensure that multiple security mechanisms and IoMT components function successfully.

• Cost considerations [65]: Strong DDoS mitigation systems can be expensive to implement due to the need for new hardware, software, licenses, and regular maintenance. Limited financial resources may prevent complete security solutions from being implemented in modest IoMT setups or other situations with few available resources.

• Privacy and compliance [10]: IoMT systems handle sensitive patient data, and security solutions must adhere to privacy regulations like Health Insurance Portability and Accountability Act (HIPPA). Balancing the need for DDoS protection with data privacy and compliance requirements can be challenging, requiring careful consideration and implementation of security measures.

• User experience impact [42]: Filtering authentic information or imposing rate limits for security reasons might negatively affect the user encounter by interfering with network performance. Fighting against DDoS attacks without negatively impacting the user experience is critical.

2.2.6 How should security solutions for IoMT systems consider factors like usability, scalability, cost-effectiveness, and compliance?

The following factors should be taken into account when assessing IoMT security solutions: usability [28,42], scalability [39,49], cost-effectiveness [42,63], and compliance [10].

• Usability: Security solutions should have intuitive interfaces and configuration options that are easy to understand and manage for administrators and system operators. And also consider how well the security solution integrates with the existing IoMT system components, protocols, and management interfaces. Compatibility and interoperability are crucial for seamless deployment and operation.

• Scalability: Ensure that the security solution can handle the increasing volume of traffic and growing demands of the IoMT system without compromising its effectiveness. It should be able to scale horizontally and vertically to accommodate the evolving needs of the system. In terms of flexibility, it is required to consider the ability of the security solution to adapt to changes in network architecture, infrastructure, and IoMT system expansion. Scalable solutions can accommodate new devices, services, and network growth.

• Cost-effectiveness: The overall cost of implementing and maintaining the security solution over its lifespan needs to be evaluated. The ongoing expenses, such as licensing fees, updates, support, and training, are also considered, along with acquisition costs. The resource requirements of the security solution are assessed with hardware, software, and personnel. Solutions that optimize resource utilization can reduce operational costs and improve cost-effectiveness.

• Compliance: Ensure the security solution meets relevant compliance standards and regulations specific to the healthcare industry, such as HIPAA or General Data Protection Regulation. Regarding data privacy, consider how the security solution handles and protects sensitive patient data. Ensure that it incorporates encryption, access controls, and auditing mechanisms to maintain data privacy and confidentiality.

From the aforementioned discussion, it is vital to remember that DDoS attacks can be devastating when they combine various attack channels and strategies. In addition, attackers’ tactics may develop as they learn to take advantage of new attack channels or flaws. Protecting IoMT systems against such ever-evolving threats requires constant vigilance and sophisticated DDoS security techniques. It is also noted that new ideas and technologies are still developing and could have shortcomings. Effective implementation and integration into IoMT systems necessitate emphasis on the particular use case, the system architecture, and the knowledge of security specialists. Regularly reviewing and adapting protection techniques are essential to keeping up with the ever-changing environment of DDoS attacks on IoMT systems. A meticulous DDoS security strategy for IoMT systems should contemplate the strengths and limitations of the various safety measures listed in Table 1.